apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: authorizationrules.deckhouse.io
  labels:
    heritage: deckhouse
    module: user-authz
spec:
  group: deckhouse.io
  scope: Namespaced
  names:
    plural: authorizationrules
    singular: authorizationrule
    kind: AuthorizationRule
  preserveUnknownFields: false
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          description: |
            Manages RBAC and authorization settings within a particular namespace.
          required:
          - spec
          properties:
            spec:
              type: object
              required:
              - subjects
              properties:
                accessLevel:
                  type: string
                  description: |
                    Access level:
                    * `User` — has access to information about all objects (including viewing pod logs) but cannot exec into containers, read secrets, and perform port-forwarding;
                    * `PrivilegedUser` — the same as `User` + can exec into containers, read secrets, and delete pods (and thus, restart them);
                    * `Editor` — is the same as `PrivilegedUser` + can create and edit all objects that are usually required for application tasks;
                    * `Admin` — the same as `Editor` + can delete service objects (auxiliary resources such as `ReplicaSet`, `certmanager.k8s.io/challenges` and `certmanager.k8s.io/orders`);

                  enum: [User,PrivilegedUser,Editor,Admin]
                  x-doc-examples: ['PrivilegedUser']
                portForwarding:
                  type: boolean
                  default: false
                  description: |
                    Allow/disallow the user to do `port-forwarding`.
                allowScale:
                  type: boolean
                  default: false
                  description: |
                    Defines if scaling of Deployments and StatefulSets is allowed/not allowed.
                subjects:
                  type: array
                  description: |
                    Users and/or groups to grant privileges.

                    [Kubernetes API reference...](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#subject-v1-rbac-authorization-k8s-io)

                    Pay attention to the following nuances if this module is used together with the [user-authn](https://deckhouse.io/documentation/v1/modules/150-user-authn/) module:
                    - Use the user's `email` as the username to grant privileges to the specific user;
                    - When specifying a group, make sure that the necessary groups are allowed to be received from the provider, i.e., they are defined in the corresponding custom resource [DexProvider](https://deckhouse.io/documentation/v1/modules/150-user-authn/cr.html#dexprovider).
                  items:
                    type: object
                    required:
                    - kind
                    - name
                    properties:
                      kind:
                        type: string
                        enum: [User, Group, ServiceAccount]
                        description: 'Type of user identification resource.'
                        x-doc-examples: ['Group']
                      name:
                        type: string
                        description: 'Resource name.'
                        x-doc-examples: ['some-group-name']
                      namespace:
                        type: string
                        minLength: 1
                        maxLength: 63
                        pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?'
                        description: 'ServiceAccount namespace.'
